Three vulnerabilities identified in ServiceNow platform
Security researchers have identified three vulnerabilities, two of them critical, in ServiceNow's IT service management platform that have left over 105 organizations exposed to data breaches. The vulnerabilities, tracked as CVE-2024-4879, CVE-2024-5217 and CVE-2024-5178, have been actively exploited by threat actors to steal sensitive information such as email addresses, hashed passwords and other internal data from entities running vulnerable ServiceNow instances.
CVE-2024-4879 and CVE-2024-5217 carry CVSS scores of 9.3 and 9.2 respectively, placing both in the critical range. Each allows an unauthenticated remote attacker to execute arbitrary code on an affected ServiceNow instance, which can lead to full compromise of the system and theft of all data it holds.
Researchers from Resecurity, who reported the in-the-wild exploitation, noted that the flaws had already been used against over 105 organizations' ServiceNow deployments. Government agencies, data centers, energy companies and software development firms were among those affected. Data stolen from exploited systems was also being offered for sale on cybercrime forums for as little as $5,000.
Technical details of the ServiceNow vulnerabilities
According to ServiceNow's advisories, CVE-2024-4879 is a Jelly template injection flaw in ServiceNow UI macros: an unauthenticated remote attacker can inject Jelly markup into a page and have the instance evaluate it, giving code execution without any credentials. CVE-2024-5217 is an input validation flaw in the platform's GlideExpression script handling that likewise allows an unauthenticated attacker to execute code; in the attack chain it is used to break out of the restrictions placed on the injected script.
The third vulnerability, CVE-2024-5178, is rated medium severity and stems from incomplete input validation in the SecurelyAccess API. It lets a user who already holds administrative access read sensitive files on the web application server, including the files that hold database connection details. All three flaws were reported to ServiceNow by Assetnote. Chained together, they give a remote, unauthenticated attacker a path to the backend database and everything stored in it.
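Because the entry point of the chain is template injection in request parameters, one practical check for defenders is to look back through web access logs for requests whose parameters carry Jelly markup. The following script is an added example for this article, not code from ServiceNow, Assetnote or Resecurity. It assumes that an exploitation attempt places Jelly tags such as `<j:jelly>` or `<g:evaluate>` in a query-string parameter (the tag list and the parameter names are assumptions) and it runs over a few constructed Apache-style log lines, decoding the query string repeatedly so that double-encoded payloads are not missed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption for this example: a template-injection attempt against a ServiceNow
# instance puts Jelly/Glide tags into a request parameter. The tag list below is
# an editorial guess at the most likely markers, not vendor or researcher guidance.
JELLY_TAG = re.compile(
    r"<\s*(?:g2|g|j)\s*:\s*(?:jelly|evaluate|set)\b", re.IGNORECASE
)

# Combined/common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic). The parameter name "title"
# is arbitrary; line 3 carries the same payload double URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Jul/2024:10:01:02 +0000] "GET /login.do?title='
    '%3Cj%3Ajelly+xmlns%3Aj%3D%22jelly%3Acore%22%3E%3Cg%3Aevaluate%3Ex'
    '%3C%2Fg%3Aevaluate%3E%3C%2Fj%3Ajelly%3E HTTP/1.1" 200 5123',
    '198.51.100.4 - - [12/Jul/2024:10:01:05 +0000] "GET /login.do?title=Welcome HTTP/1.1" 200 4870',
    '203.0.113.10 - - [12/Jul/2024:10:01:44 +0000] "GET /login.do?title='
    '%253Cj%253Ajelly%2520xmlns%253Aj%253D%2522jelly%253Acore%2522%253E HTTP/1.1" 200 5123',
    '192.0.2.9 - - [12/Jul/2024:10:02:11 +0000] "POST /api/now/table/incident HTTP/1.1" 201 300',
    '198.51.100.8 - - [12/Jul/2024:10:03:00 +0000] "GET /search.do?q=%3Cb%3Ehello%3C%2Fb%3E HTTP/1.1" 200 900',
]


def fully_decode(value, max_rounds=3):
    """URL-decode until the string stops changing, to unmask double encoding."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_jelly_injection(target):
    """Return (param, decoded_value) pairs whose value contains a Jelly tag."""
    query = urlsplit(target).query
    hits = []
    # parse_qsl performs one round of decoding; fully_decode handles the rest.
    for key, raw in parse_qsl(query, keep_blank_values=True):
        decoded = fully_decode(raw)
        if JELLY_TAG.search(decoded):
            hits.append((key, decoded))
    return hits


def scan_access_log(lines):
    """Scan log lines and return one alert dict per request carrying Jelly markup."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash on them
        hits = find_jelly_injection(m["target"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "time": m["ts"],
                "path": urlsplit(m["target"]).path,
                "params": [key for key, _ in hits],
                "status": m["status"],
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

The benign `<b>` markup in the last sample line is deliberately left unflagged, since the pattern keys on the Jelly and Glide tag prefixes rather than on angle brackets alone. A real deployment would also want to cover POST bodies and any other parameter carriers the application accepts, which plain access logs do not record.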
Organizations urged to apply patches immediately
With the flaws under active exploitation, researchers and authorities strongly recommended that all organizations using ServiceNow apply the available security patches immediately. The US CISA added CVE-2024-4879 and CVE-2024-5217 to its Known Exploited Vulnerabilities catalog and directed federal agencies to remediate them within three weeks.
ServiceNow said it learned of the issues, which affect instances running specific versions, on May 14, 2024, and that it had since rolled out updates and patches to address them. However, some affected parties were reportedly slow to apply the fixes or were running outdated ServiceNow releases, leaving their critical systems and sensitive data at high risk of compromise.
Takeaways for organizations around ServiceNow vulnerabilities
The ServiceNow vulnerabilities and the breaches that followed are a reminder that security patches need to be applied promptly: any delay gives attackers a window in which to exploit weaknesses that are already public. Users of cloud-hosted platforms should also keep configuration and network hygiene in order, since the vendor patching the platform does not help an instance that is still running an unpatched release. Proactive vulnerability management, together with monitoring for signs of exploitation, shortens the window of exposure when issues like these surface.